Information disclosure
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aaron J 404 Solution. This issue affects 404 Solution: from n/a through 2.33.0...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Doofinder Doofinder WP & WooCommerce Search. This issue affects Doofinder WP & WooCommerce Search: from n/a through 2.0.33...
Buffer overflow
Buffer Overflow vulnerability in Tenda i29 versions 1.0 V1.0.0.5 and 1.0 V1.0.0.2, allows remote attackers to cause a denial of service (DoS) via the pingIp parameter in the pingSet function...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in CleanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk. This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Apollo13 Framework Extensions. This issue affects Apollo13 Framework Extensions: from n/a through 1.9.1...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in WP Zone Inline Image Upload for BBPress. This issue affects Inline Image Upload for BBPress: from n/a through 1.1.18...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Designful Stylish Price List – Price Table Builder & QR Code Restaurant Menu. This issue affects Stylish Price List – Price Table Builder & QR Code Restaurant Menu: from n/a through 7.0.17...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building. This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.18...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms – Ultimate Form Builder – Contact forms and much more. This issue affects NEX-Forms – Ultimate Form Builder – Contact forms and much more: from n/a through 8.5.2...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in NitroPack Inc. NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images. This issue affects NitroPack – Cache & Speed Optimization for Core Web Vitals, Defer CSS & JavaScript, Lazy load Images: from n/a...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Team Awesome Support – WordPress HelpDesk & Support Plugin. This issue affects Awesome Support – WordPress HelpDesk & Support Plugin: from n/a through 6.1.5...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Job Board. This issue affects Simple Job Board: from n/a through 2.10.6...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Product Bundles for WooCommerce. This issue affects WPC Product Bundles for WooCommerce: from n/a through 7.3.1...
Sql injection
SQL Injection vulnerability in Buy Addons baproductzoommagnifier module for PrestaShop versions 1.0.16 and before, allows remote attackers to escalate privileges and gain sensitive information via BaproductzoommagnifierZoomModuleFrontController::run method...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress. This issue affects teachPress: from n/a through 9.0.4...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in WPChill Strong Testimonials. This issue affects Strong Testimonials: from n/a through 3.1.10...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in WhiteWP White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard. This issue affects White Label – WordPress Custom Admin, Custom Login Page, and Custom Dashboard: from n/a through 2.9.0...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in wp.Insider, wpaffiliatemgr Affiliates Manager. This issue affects Affiliates Manager: from n/a through 2.9.31...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Custom Twitter Feeds – A Tweets Widget or X Feed Widget. This issue affects Custom Twitter Feeds – A Tweets Widget or X Feed Widget: from n/a through 2.1.2...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Republish Old Posts. This issue affects Republish Old Posts: from n/a through 1.21...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floating Button. This issue affects Floating Button: from n/a through 6.0...
Heap overflow
IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+1cbf heap-based out-of-bounds write...
Heap overflow
IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f heap-based out-of-bounds write...
Cross site scripting
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP WP Affiliate Disclosure allows Stored XSS. This issue affects WP Affiliate Disclosure: from n/a through 1.2.7...
Authorization
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L. Dynamic Content for Elementor. This issue affects Dynamic Content for Elementor: from n/a before 2.12.5...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Job Portal – A Complete Job Board. This issue affects WP Job Portal – A Complete Job Board: from n/a through 2.0.6...
Heap overflow
IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef heap-based out-of-bounds write...
Design/Logic Flaw
nbviewer-app (aka Jupyter Notebook Viewer) before 0.1.6 has the get-task-allow entitlement for release builds...
Stack overflow
route in main.c in Pico HTTP Server in C through f3b69a6 has an sprintf stack-based buffer overflow via a long URI, leading to remote code execution...
Stack overflow
handle_request in http.c in cherry through 4b877df has an sscanf stack-based buffer overflow via a long URI, leading to remote code execution...
Design/Logic Flaw
Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-free in buffer_avail at buffer.h via a long URI, because realloc is mishandled...
Side channel
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack...
Design/Logic Flaw
Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection...
Cross site request forgery (csrf)
The Depicter Slider – Responsive Image Slider, Video Slider & Post Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for...
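The Depicter entry above names the root cause shared by most of the WordPress CSRF entries on this page: an admin action that writes settings without a valid nonce. The following is an added illustration, not code from Depicter or any other plugin listed here. The plugin, function and option names (acme_*) and the 'acme_save' nonce action are hypothetical; add_action, current_user_can, check_admin_referer, wp_verify_nonce, wp_nonce_field and the other wp_*/esc_* calls are WordPress core functions.

```php
<?php
// Added example (not from any plugin on this page). acme_* names and the
// 'acme_save' nonce action are hypothetical; the wp_*/esc_*/check_* calls
// are WordPress core functions.

// 1. Vulnerable: the handler checks who the user is, but not whether the
//    user actually intended to submit this form.
function acme_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // "Incorrect" nonce validation, as opposed to missing: the return value
    // of wp_verify_nonce() is discarded, so the check can never fail.
    wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'acme_save' );

    // A logged-in administrator lured to an attacker's page can be made to
    // submit a POST here (auto-submitted form). The browser attaches the
    // admin's cookies, the capability check passes, and the attacker's
    // value is written to the option.
    $url = esc_url_raw( wp_unslash( $_POST['redirect_url'] ?? '' ) );
    update_option( 'acme_redirect_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme' ) );
    exit;
}
add_action( 'admin_post_acme_save_vulnerable', 'acme_save_settings_vulnerable' );

// 2. Fixed: capability check AND a nonce bound to this action and this user.
function acme_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // check_admin_referer() runs wp_verify_nonce() on $_POST['_wpnonce'] for
    // the 'acme_save' action and dies if the nonce is absent, expired, or
    // was issued to a different user. A cross-origin page cannot read the
    // nonce out of the admin form, so a forged POST stops on this line.
    check_admin_referer( 'acme_save', '_wpnonce' );

    $url = esc_url_raw( wp_unslash( $_POST['redirect_url'] ?? '' ) );
    update_option( 'acme_redirect_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=acme&saved=1' ) );
    exit;
}
add_action( 'admin_post_acme_save', 'acme_save_settings' );

// 3. The settings form must emit the matching nonce field; otherwise the
//    fixed handler rejects legitimate saves as well.
function acme_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_save">
        <?php wp_nonce_field( 'acme_save', '_wpnonce' ); ?>
        <label>Redirect URL
            <input type="url" name="redirect_url"
                   value="<?php echo esc_attr( get_option( 'acme_redirect_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Acme', 'Acme', 'manage_options', 'acme', 'acme_settings_page' );
} );
```

When auditing a plugin for this class of bug, list every admin_post_*, wp_ajax_* and admin_init handler that writes options, posts or files and confirm each one both checks a capability and calls check_admin_referer() / check_ajax_referer() (or tests the return value of wp_verify_nonce()). A nonce check does not substitute for the capability check: the nonce only proves the request came from a page WordPress rendered for that user, not that the user is allowed to perform the action.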
Code injection
There is a DLL hijacking vulnerability in ZTE ZXCLOUD iRAI. An attacker could place a fake DLL file in a specific directory and successfully exploit this vulnerability to execute malicious code...
Code injection
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written...
Path traversal
Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs...
Integer overflow
CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can allow possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker...
Design/Logic Flaw
encodedid-rails versions before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sending an HTTP request with an extremely long "id" parameter...
Cross site scripting
govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page...
Race condition
A race condition exists in Audited 4.0.0 to 5.3.3 that can allow an authenticated user to cause audit log entries to be attributed to another user...
Cross site scripting
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the...
Arbitrary file download
Jizhicms v2.5 was discovered to contain an arbitrary file download vulnerability via the component /admin/c/PluginsController.php...
Remote code execution
Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution RCE vulnerability via the list parameter at /goform/SetNetControlList...
Design/Logic Flaw
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts function improperly updates the refcnt on struct net_device, and a use-after-free can be triggered by racing between the free on the struct and the access through the skbtxq global queue. This could lead to...
Cross site scripting
As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide...
Sql injection
Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the signupAction.php resource does not validate the characters received and they are sent unfiltered to the database...
Cross site scripting
OCSInventory allows storing an email template containing special characters, which leads to stored cross-site scripting...
Remote code execution
SideQuest is a place to get virtual reality applications for Oculus Quest. The SideQuest desktop application uses deep links with a custom protocol sidequest:// to trigger actions in the application from its web contents. Because, prior to version 0.10.35, the deep link URLs were not sanitized...